
It’s a Matter of “When”, not “If”

No company is immune to some type of cyber attack, and cybercrime is a rapidly growing industry. The returns are great, and there is very little risk to the perpetrator. It’s estimated that the likely annual cost to the global economy from cybercrime is more than $400 billion, that’s with a “B” (www.bloomberg.com).

On April 14, NICSA held its forum, “Cyber Security – Managing 21st Century Risk.” The sessions were designed with operations and business leaders in mind. I left the forum with several key messages, one being that cyber security is a business issue, not just a technology issue. As David Grady, vice president at State Street Corporation, stated, “it takes a village to secure an environment.”

Senior leaders across every organization are stakeholders. They don’t need to understand the technical details, but it’s imperative that they understand the big picture so they can grasp the overall risk blueprint. One of the core challenges is that not everyone speaks the same language: lawyers, information security staff, and business leaders each use their own terminology and define risk differently. However, through proper governance, relationship building, and practice, these barriers can be overcome.

To manage risk, it’s important to acknowledge the main components. The questions to be addressed are:

What data needs to be protected?

Where is the data located, and what are the devices that hold it?

Who has access to the data?

How do we protect the data?

Who is accountable?

Once these questions are answered, a framework for protecting the infrastructure can be designed and constructed. Nonetheless, organizations face a hard trade-off: they must take a risk assessment approach to allocate their finite dollars and resources to the areas of greatest exposure. Spending 75 percent of resources on managing a firewall while not applying appropriate patches is not a practical approach, because an unpatched system is exposed regardless of how well the perimeter is managed. Identifying where to apply your dollars and resources is a critical step in building a solid information security program.

Another key point I heard reiterated throughout the forum was that security incidents are a matter of “when,” not “if.” Since that’s the case, it’s critical that organizations create and maintain a solid incident response plan that includes the following key elements:

Preparation

Identification

Containment

Remediation and recovery

Post incident analysis and lessons learned

Designing a thorough plan is critical to ensure that all impacted parties have a clear understanding of their roles and responsibilities throughout the event. Specialties such as legal, compliance, human resources, and law enforcement should be involved in the plan at the appropriate times to provide guidance in their areas of expertise. Panic and chaos may lead to an inadequate response; a rehearsed plan lets you bracket the problem and prevent an incident from becoming a crisis.

What does that commitment mean in practice? To put it in dollars and cents, the DST and Boston Financial security budget increased 100 percent from 2013 to 2015 and is expected to keep growing. Our program is based on guidance from the National Institute of Standards and Technology (NIST), and we leverage the expertise of companies such as WhiteHat, Depth Security, McAfee, and Microsoft to safeguard our network. Our defense-in-depth, layered approach is solid, with a core focus on detection and remediation.

Threat intelligence is also a major part of our program. We’re engaged with organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) to improve our ability to be proactive. We migrated from a periodic assessment and testing schedule to continuous testing. We also strengthened our incident response program, which incorporates our parent companies to ensure an effective and solid plan.

Most would say the best offense is a good defense. We agree. As we progress through 2015, we’ll encounter new challenges and new threat actors. However, we’ve built a solid defense program and will continue to expand on it. As we have in the past, we’ll work tirelessly to protect what’s most valuable and most important to us: our clients.

If you are interested in this topic, Verizon produces an annual Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/), which is a fascinating analysis of the threats, vulnerabilities, and actions that lead to security incidents. The information spans industries, but the themes are similar and the statistics are staggering. It’s worth checking out.

Edward McCune

Ed began his career with Boston Financial in 1998 and has held various positions within the DST Retirement Solutions (DST RS) organization. Through IFDS, Ed worked on assignments in Luxembourg and Dublin. In his current role within Corporate Marketing, Ed supports marketing and sales initiatives for Boston Financial and DST RS. Working closely with the Information Security team, he has become deeply involved with client due diligence and vendor oversight inquiries. Ed holds a BSBA in Finance from Nichols College.
